Slashdot Mirror
Wireless Registers May Expose Your Credit Card
flynt writes: "Found this article about people sitting in Best Buy parking lots with wireless sniffers and intercepting credit card numbers that the wireless cash registers inside the store are beaming about. Gives more credence to the idea of one time use credit card numbers. Now you don't even have to be online to have your number stolen."
Lock down all ports on the server except SSH, and force the cash register client machines to tunnel through SSH for everything. I use it at home, work and university. It's better to be over security-conscious than being to relaxed about it.
However, that's just covering up the symptoms of a greater problem. It would be better if credit cards used a public/private key system, where the acocunt number is sent to the central server which responds with a random encryption challenge, then a chip on the card encrypts the string using it's key and replies. That way no useful security information is being pased around for others to intercept and use.
Follow me
Social security numbers used as identification, credit card numbers, and a whole host of other "real world" identifiers and systems are simply extremely sloppy security. In the past, that meant that only a few customers got screwed. With modern computer equipment, a lot of people get screwed.
What is particularly annoying about it is that the companies that put this sloppy security in place never really have given a damn about protecting their customers--as long as the casualties are not too many and don't frighten the masses away, it's acceptable. In most cases, companies that use sloppy identifiers or security end up not even being legally liable for the trouble and expenses they are causing their customers.
Someone down the line knows your credit card number. If you hand your card to the person at the register, then you are placing trust in them. If your information is stolen by a 3rd party, then it is because of the incompetence of whoever you placed your trust in.
According to the article, Best Buy has since stopped using wireless cash registers. Still, I think the problem is not with wireless itself, but the particular implementation Best Buy was using. Couldn't they simply encrypt the data?
Of course, credit cards are inherently problematic. Although I use credit cards, I think the system is poorly designed. Basically, you say to a guy, "here's a key to my safe, please only take what you need." IMO, it should be the reverse. We should *give* them the money, possibly by authorizing a transaction via your bank (a cell phone would be the best way, so you don't have to trust an in-store terminal) Thus, everyone would be able to give, but not take. As it stands, credit cards have the worst security of anything. It's ironic too, since a lot of us computer enthusiasts will rant all day about how everyone should be using ssh and GPG, yet we give our login and password to the waitress next time we eat.
Like you ever did need to be online to get your number stolen - easiest way to steal credit card numbers is to get a job in a retail outlet and record numbers of customers cards.
This is *the* classic error in security thinking - only consider the hardware, ignore the human factors.
with everyone paranoid about credit card theft using high tech means people seem to forget that while most internet transactions are safe, what you really need to worry about are people who actually handle your card.
The cashier has access to your nubmer. the accountant has access to your number. the manager of the store has access to your nubmer. some stores print the entire number on reciepts so anybody willing to dumpster dive has access to your number. waiters and waitresses who carry your card off to the register in a restaurant has access to your number...
and now people in the parking lot have access to your number.